Infosec in brief We gather everyone’s still easing themselves into the New Year. Deleting screens of unread emails, putting on a brave face in meetings, and slowly getting up to speed. While you’re recovering from the Christmas break, Meta has been busy introducing fresh ways to monetize your web surfing habits while dressing it up as a user experience improvement.

The latest attempt to extract more sellable data comes in the form of link history, which lists the webpages you’ve visited using the browser built into Meta’s apps. Link history stores records for 30 days, can be used to recall pages previously read, and excludes links sent in messages. This could be convenient, to be sure.

Less prominently mentioned on the help pages describing the feature on Facebook and Instagram is what is probably the real reason for the capability: “We may use link history information from our browser to improve your ads across Meta technologies.”

And there we have it: A new feature that’s actually a way to boost targeted advertising after changes by Apple and others hobbled Meta’s ability to collect info on its users. If you don’t want to be hit with adverts tailored to your browsing habits, see the above links to opt out.

Critical vulnerabilities: A very patchy new year

There’s no rest for security teams heading into 2024, with the past week bringing fixes for a clutch of critical vulnerabilities, including newly reported issues in Chrome.

The latest stable channel release for Chrome Desktop includes six security fixes, four of which Google singled out for recognition in the release notes. Two issues in ANGLE were addressed, as were use-after-free bugs in WebAudio and WebGPU. Patch asap!

Elsewhere:

  • CVSS 9.8 – Multiple CVEs: Rockwell Automation FactoryTalk Activation Manager software v4.00 contains a couple of out-of-bounds write bugs that could give an attacker full control of the host.
  • CVSS 9.8 – CVE-2023-6448: Unitronics Vision Series PLCs and HMIs ship with a default administrative password, and CISA warns that internet-exposed units are being compromised through it. Change the password, and keep the devices off the public internet regardless.
  • CVSS 9.6 – CVE-2023-39336: Ivanti Endpoint Manager 2022 SU4 and all prior versions are vulnerable to SQL injection from anyone with access to the same network as a vulnerable machine, no authentication required.

A couple of new exploits have been detected being used in the wild this week, too:

  • CVSS 8.8 – CVE-2023-7024: We reported on this Chrome heap buffer overflow, in its WebRTC component, at the end of last year.
  • CVE-2023-7101: There’s no CVSS score available for this newly discovered vulnerability in Spreadsheet::ParseExcel, a Perl module used to parse Excel files. The module passes a number-format string taken straight from the spreadsheet into a string eval without validating it, so a crafted .xls file can run arbitrary Perl on whatever parses it. Anything that feeds untrusted attachments through this module (mail gateways are the obvious case) should be treated as exposed until updated.

Watch out for Twitter hijackings

If you missed it, Google-owned security firm Mandiant embarrassingly had its Twitter account hijacked this past week for a short while and turned into a pitch machine for cryptocurrency scams. 

Another victim, web3 firm CertiK, was hit by a similar group of miscreants as well. As in Mandiant’s case, CertiK’s hijackers tried to trick the firm’s crypto-conscious followers into falling for scams.

It’s not entirely clear how either incident happened. Mandiant noted: “As you likely noticed … Mandiant lost control of this X account which had 2FA enabled. Currently, there are no indications of malicious activity beyond the impacted X account, which is back under our control. We’ll share our investigation findings once concluded.”

Consider the hijacks a reminder: Don’t just check that 2FA is still enabled on your X account; check what kind it is. SMS and app-generated codes can be relayed to the real site in real time by a reverse-proxy phishing kit, and a session cookie lifted by infostealer malware bypasses the login flow altogether. Security keys or passkeys (FIDO2/WebAuthn) are the option that can’t be phished this way, because the signed assertion is bound to the origin the browser actually displayed.
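To make the distinction concrete, here is an added simulation of a reverse-proxy phish against both factor types. It is example code written for this piece, not anything from Mandiant, CertiK or X, and it simplifies WebAuthn heavily: the authenticator’s ECDSA signature is stood in for by an HMAC, the relying-party and look-alike origins are constructed, and only the origin/challenge/signature checks are modelled. The TOTP side follows RFC 6238.

```python
import base64
import hashlib
import hmac
import json
import struct

# ---- TOTP (RFC 6238): the "authenticator app" style of 2FA --------------------

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute the code an authenticator app shows for this time step."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check. Note what is NOT an input: where the user typed the code."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * 30), submitted):
            return True
    return False

# ---- WebAuthn-style assertion: signing simulated with HMAC (assumption) -------

RP_ORIGIN = "https://login.example"           # constructed relying-party origin
PHISH_ORIGIN = "https://login-example.zip"    # constructed look-alike domain

def authenticator_sign(cred_key: bytes, challenge: str, page_origin: str) -> dict:
    """The browser builds clientDataJSON from the origin it is really showing;
    the authenticator then signs authenticatorData || SHA-256(clientDataJSON)."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge,
                              "origin": page_origin}).encode()
    auth_data = hashlib.sha256(b"rp-id-hash-placeholder").digest() + b"\x01" + b"\x00\x00\x00\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(cred_key, signed, hashlib.sha256).digest()   # stands in for ECDSA
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}

def verify_assertion(cred_key: bytes, expected_challenge: str, assertion: dict) -> bool:
    """Relying-party check. The origin comparison is the phishing resistance."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False
    if cd.get("origin") != RP_ORIGIN:              # relayed from a look-alike page: reject
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["signature"])

# ---- The attack: a reverse proxy relays whatever the victim produces ----------

SECRET = b"constructed-totp-seed"
CRED_KEY = b"constructed-credential-key"
NOW = 1_704_672_000                                # fixed clock so the run is repeatable

def relay_attack() -> tuple:
    """Returns (totp_accepted, webauthn_accepted) for a login relayed via PHISH_ORIGIN."""
    victim_code = totp(SECRET, NOW)                          # typed into the phishing page
    totp_ok = verify_totp(SECRET, victim_code, NOW)          # server cannot tell; accepts
    challenge = base64.urlsafe_b64encode(b"server-nonce-1").decode().rstrip("=")
    assertion = authenticator_sign(CRED_KEY, challenge, PHISH_ORIGIN)  # browser fills real origin
    webauthn_ok = verify_assertion(CRED_KEY, challenge, assertion)     # origin mismatch: rejected
    return totp_ok, webauthn_ok

def legitimate_login() -> bool:
    """Same assertion flow from the genuine origin, to show the check is not just always False."""
    challenge = base64.urlsafe_b64encode(b"server-nonce-2").decode().rstrip("=")
    return verify_assertion(CRED_KEY, challenge, authenticator_sign(CRED_KEY, challenge, RP_ORIGIN))

if __name__ == "__main__":
    print("relayed TOTP accepted, relayed WebAuthn accepted:", relay_attack())
    print("genuine WebAuthn accepted:", legitimate_login())
```

In a real browser the assertion from the look-alike page would usually never be produced at all, because the RP ID requested by the phishing site cannot match the genuine site’s domain; the origin check shown here is the second line of defence on the server. Neither mechanism helps if the attacker steals an already-issued session cookie, which is why the infostealer angle deserves as much attention as the phishing one.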

Apropos of nothing, we couldn’t help but notice the chief exec of a collapsed crypto fund seemingly never existed in the first place…

Nigerian not-a-prince cuffed over BEC

A Nigerian national has been arrested and is awaiting extradition to the US on charges he defrauded two American charities out of more than $7.5 million via a business email compromise scheme. 

According to the US Justice Department, Olusegun Samson Adejorin allegedly purchased a credential-stealing tool and used it to harvest details for the two charities, one in Maryland and the other in New York. 

Using the stolen credentials, Adejorin allegedly asked the Maryland charity’s bank to release large sums of cash to the New York charity. This wasn’t immediately suspicious, as the New York charity used the Maryland one for investment services. Withdrawals over $10,000 required approval from the Maryland charity, which Adejorin, allegedly having a foothold in both organizations, was happy to provide. The destination account, of course, wasn’t the New York charity’s but one controlled by Adejorin, it is claimed.

It’s not clear how Adejorin was caught, but if convicted, his sentence could be considerable. Facing eight counts, the Nigerian could do up to 20 years for each of five wire fraud charges, five years for unauthorized access to a protected computer, and two years each for two counts of identity theft. ®